NEW YORK (GenomeWeb) – Four patients have filed a complaint with the Office for Civil Rights accusing Myriad Genetics of violating a federal law by withholding variant data detected during testing.

The patients — Barbara Zeughauser, Ken Deutsch, Runi Limary, and AnneMarie Ciccarella — received genetic testing from Myriad to assess their risk for cancer. In February, asserting their rights under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, they requested access to all genetic variants identified during testing.

In response in March, Myriad provided the patients with information on their clinically significant variants, but withheld those that the company deems benign or clinically insignificant and doesn't include in test reports. Today, hours before the patients went public with their complaint, Myriad told GenomeWeb that it recently sought guidance from the OCR regarding its obligations under the HIPAA Privacy Rule, and voluntarily provided the requested information yesterday evening.

"We have complied with the patients' requests and believe the complaint should be dropped," said Ron Rogers, Myriad's executive VP of corporate communications.

In response, Sandra Park, senior staff attorney with the American Civil Liberties Union, which is representing the four patients, said they will still file their complaint with OCR. "We're continuing to move forward with the complaint in order to … address the larger issue of whether the lab will provide this data to every patient who seeks it," Park said during a call to discuss the complaint.

She noted that although Myriad told patients they were providing the information voluntarily, "they did not confirm their obligations under HIPAA." The ACLU hopes that as a result of OCR's investigation and efforts to resolve the matter, Myriad will "adopt a policy consistent with HIPAA" regarding the release of genomic variant data to patients who request it.

Orchestrated effort

Zeughauser, Deutsch, Limary, and Ciccarella have a personal or family history of cancer, and had their BRCA1 and BRCA2 genes tested with Myriad's BRACAnalysis test over the last decade. Mutations in the two genes account for up 10 percent of all breast cancers and 15 percent of ovarian cancers, and also increase the risk of prostate and pancreatic cancers. But these two large genes are highly variable, and while not everyone will have a variant that is associated with disease risk, many will have variants that are benign.

The patients note in their complaint that they're particularly interested in benign variants that are not included in their test report from Myriad. They want this data in hand, so they can be more proactive about monitoring their families' and their own cancer risk, contribute their data to research, and improve understanding of genetic variants by submitting to public databases. They also noted that they want "to confirm Myriad's interpretation of variants identified in their genes."

Their actions are part of a larger push in the genomics space, and in healthcare in general, to encourage data sharing and break data silos in healthcare, and it's no accident that the ACLU filed the HIPAA complaint against Myriad on behalf of patients. A few years ago, the ACLU helped patients, genetic counselors, and scientific associations challenge Myriad's patents on BRCA1 and BRCA2 genes in the Supreme Court.

The court invalidated several of Myriad's patent claims and deemed isolated gene sequences patent ineligible. This landmark decision opened up competition in the genetic testing market, particularly in areas where a single lab provided testing for a gene. Myriad held a monopoly for nearly 20 years when it came to testing BRCA1/2 genes.

In the absence of gene patents, however, some industry observers predicted that labs would seek advantages through trade secrets, keeping their discoveries about links between genes and diseases locked up in proprietary databases. Myriad has such a database, which contains information on 17,000 BRCA variants and 46,000 variants in total.

The Global Alliance for Genomics & Health (GA4GH), an international coalition that is working to aggregate data from around the world on BRCA variants, provided a letter in support of the patients' complaint. Rachel Liao from GA4GH said that while many labs around the world are contributing to this data-sharing effort, Myriad is not. Myriad also doesn't contribute to ClinVar, a freely available archive of genotype and phenotype relationships the NIH publicly launched three years ago.

Myriad used to share data in public databases but stopped doing so some years ago. The company has claimed this is because such databases are rife with conflicting classifications, but Myriad's critics have said the firm stopped sharing as a business advantage over competitors. However, Johnathan Lancaster, chief medical officer at Myriad Genetic Laboratories, recently countered critics and told GenomeWeb that the company does share data by publishing extensively on variants, its classification methods, and the validity of its tests. The firm also has approval from the US Food and Drug Administration for its BRACAnalysis test as a companion diagnostic that identifies best responders to the ovarian cancer drug Lynparza.

Rogers characterized the latest HIPAA complaint spearheaded by the ACLU as an orchestrated "political stunt" since all the patients submitted form letters on the same day. Yesterday evening, in addition to providing patients the information they requested, the company announced plans to launch a web portal that will give patients "access [to] their personal test results," as well as tools to help them track their health and the cancer risk in their families.

That third objective ... positions the HIPAA access right as a crucial access-forcing mechanism that enables people to free their data that is 'siloed' in laboratories.

Patient rights

Recent changes to the HIPAA Privacy Rule have vastly expanded patients' rights when it comes to data they can request from labs. As of Oct. 6, 2014, individuals have the right to inspect and receive copies of their "designated record set" (DRS) from HIPAA-covered entities.

A DRS, as defined in the HIPAA Privacy Rule, comprises medical, billing, payment, claims, health plan enrollment, case management, and any other records used to make decisions about an individual. An individual has "a broad right of access to any or all of his or her health information" in a DRS, and can request information in one or more DRS, even if the data reside at different sites or are archived, as long as a lab keeps that data.

Specifically with regard to genomic test results, the HHS explained in a "Frequently Asked Questions" document this January that a DRS maintained by a lab includes not only test reports but also the "underlying information generated as part of the test, as well as other information concerning tests a laboratory runs on an individual." Moreover, labs that are HIPAA-covered entities and conduct next-generation sequencing — which Myriad is and does — have to provide individuals who request information related to genomic testing "with a copy of the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test."

Exercising this right, Zeughauser, Deutsch, Limary, and Ciccarella wrote to Myriad in February asking for their DRS, specifying that they wanted records related to the clinical interpretation of variants, raw genomic sequencing reads, assembled sequences kept in specific file types (BAM, SAM, CRAM), a list of all identified variants, particularly benign variants.

In one of its letters to patients, Myriad states that the Privacy Rule's definition of a DRS doesn't comprise the variant data being requested. The firm explains that because of the growing demand and complexity of genetic testing, labs have to deal with more data and administrative burdens, and so Myriad's practice is to "not …maintain much, if any," of the data the patient requested. More specifically, Myriad said it doesn't retain the types of files requested and doesn't generate VCF files.

According to Rogers, Myriad gets between 35 and 40 requests for test reports daily, and occasionally, when a doctor asks for additional information on benign polymorphisms, the company provides it. However, before the four patients submitted their request in February, patients had never asked for this information, he said.

Rogers added that what Myriad initially provided to patients in March is the historical standard across industry as to what is provided to a patient as part of a DRS. Although HHS advanced the original amendments to the Privacy Rule after giving industry and other stakeholders notice and opportunity to comment, he noted that the government issued the clarifying FAQs that included details related to genetic information without giving the public an opportunity to weigh in.

Barbara Evans, a HIPAA scholar and director of the Center for Biotechnology & Law at the University of Houston Law Center, told GenomeWeb that it's fairly common for federal agencies to give informal guidance or policy statements to explain how they intend to interpret their own regulations.

"In issuing the FAQs guidance, OCR interpreted the term 'designated record set' in the HIPAA Privacy Rule as including underlying data generated during the course of genomic testing," said Evans, who agreed to provide comments on the law but has not seen the complaint filed today and declined to comment on it. "That wasn't really doing anything new. It was simply applying principles HHS already announced in the preamble to the original HIPAA Privacy Rule published on Dec. 28, 2000."

Then, in the preamble to the Feb. 6, 2014 final rule that expanded patients' access rights, the agency explained that the aim was to improve privacy protections, further enable people's ability to participate in their own healthcare, and spur the development of health information technology. "That third objective, in my view, positions the HIPAA access right as a crucial access-forcing mechanism that enables people to free their data that is 'siloed' in laboratories," said Evans.

In April, Myriad and the American Clinical Laboratory Association met with OCR to obtain further clarification on the guidance it provided. Rogers noted that the broad interpretation of the Privacy Rule could significantly impact labs and suggested there are industry-wide concerns. "Depending on how it's interpreted it could mean, for example, that if you went and got a cholesterol test, you could ask for that test result and all the underlying data that was used to generate the normal values for cholesterol," he said.

Following its meeting with OCR, Myriad said it began voluntarily collecting the additional variant information requested by the patients. On May 18, the lab provided the benign polymorphism data to the four patients who have filed the HIPAA complaint and to three patients who submitted similar requests.

[This] is an exercise to "force laboratories' hand" in sharing data and recognizing its importance in quality assurance and advancing knowledge.

Precision medicine era

OCR Director Jocelyn Samuels wrote in a recent post on HHS.gov that "far too often individuals face obstacles accessing their health information, even from entities required to comply with HIPAA."

However, projects like the Precision Medicine Initiative are relying on the "partnership" of 1 million Americans who have to be willing to donate their medical information. Projects like this will only succeed if patients exercise their healthcare data rights under the Privacy Rule, Samuels said, and can send their information "wherever they want it to go," such as to researchers. This ability, she wrote is necessary for creating a "healthcare ecosystem of the future, where the individual is at the center of his or her care."

Evans, who has written extensively on the impact data access rights under the Privacy Rule would have on genomics labs, told GenomeWeb that neither labs nor patients legally own the data held in health databases, and that's as it should be. "The reality is that labs, providers, patients, research subjects, and society at large all have various important interests in controlling, accessing, and using health data," she said. "Data ownership, if it existed, would inevitably have to be some form of shared control.”

Previously under HIPAA patients lacked meaningful access to their health records. "Patients' HIPAA right to clinical data was too lightly enforced, and patients didn't have access to their laboratory data," Evans said. "Now they do." Getting healthcare data "de-siloed" is an important first step to advancing research, she added, but "that still leaves the collective action problem of how do you get people excited about contributing their data for research."

In the present complaint against Myriad, the patients said they were eager to contribute to large databases like ClinVar for the purpose of advancing research. Limary, a 39-year-old Asian-American woman who lives in Texas and was diagnosed with aggressive breast cancer in her 20s, received testing from Myriad in 2007 and found out she had a variant with unknown association to cancer. Eventually, in 2011, Myriad reported that her variant was likely benign, but Limary noted there wasn't much information about variants like hers in the public domain, and so she wants to put her data out there.

"My body, my blood, my data, my choice how I wish to share that information," said Ciccarella during the ACLU-hosted call today. Testing through Myriad revealed in 2006 that she had a variant of unknown significance in both BRCA1 and BRCA2, which the lab subsequently reclassified as benign and likely benign. Yesterday, she learned from Myriad that she has 10 variants on BRCA1 and five variants in BRCA2.

"We simplify the world by saying that variants are either pathogenic or benign, or we're in some state of uncertainty between the two, and we'll eventually figure out whether it goes in one bucket or the other," said Heidi Rehm, director of the Laboratory for Molecular Medicine at Partners HealthCare Personalized Medicine, who wrote a letter in support of the patients' HIPAA complaint. "But the truth is that some of these variants that appear benign at first may end up having a mild contribution to disease. We're only going to figure those out if we have larger datasets."

Rehm has been encouraging labs to be more transparent about their variant classification process, submit to ClinVar, and collaborate to resolve discrepancies. She acknowledged that published data shows that 17 percent of variants submitted by multiple labs to ClinVar have conflicting interpretations, which indicates that labs are sometimes classifying variants differently and patients are getting inconsistent interpretations.

But Rehm and others believe that public databases are necessary to shed light on these discrepancies and where labs need to reassess data. The FDA, insurers, and peer-reviewed journals are also encouraging or even requiring deposit of variant data to open databases.

Rehm characterized the present HIPAA complaint as an exercise to "force laboratories' hand" in sharing data and recognizing its importance in quality assurance and advancing knowledge. "It's for purposes that will help patients," she said.